Enable/Disable users to change their password

[ghost]

Actually there are no steps to reproduce, we just need some feature that allows us enable/disable users to change their password.

[nextcloud-bot]

GitMate.io thinks possibly related issues are #10572 (Fix security settings if password change is disabled), #9474 (It'll be nice to have "disable password confirm" option), #4008 (Disable reset password link), #12386 (Disable password change with SSO), and #5746 (Create user failed / password policy crash).

[violoncelloCH]

why do you need to enable/disable users to change passwords?
passwords can be changed and users enabled/disabled independent from each other

[ghost]

why do you need to enable/disable users to change passwords?
passwords can be changed and users enabled/disabled independent from each other

Because people have one password for business system and they could change that only password in some subsystem like Nextcloud. Hopefully you understand what i mean.

[violoncelloCH]

ahh, sorry, I misunderstood your first post... now I get it
are you using LDAP?

[ghost]

ahh, sorry, I misunderstood your first post... now I get it
are you using LDAP?

Yes.

[kesselb]

https://docs.nextcloud.com/server/14/admin_manual/configuration_user/user_auth_ldap_api.html#configuration-keys

turnOnPasswordChange

[tomtomas99911]

Yes, you can disable password change in LDAP (also in user_SQL or SMTP login) but you cannot hide change password dialog - so users are confused.

We want to hide whole change password dialog, not only to disable password change.

[kesselb]

I suppose you talk about this page?

Password dialog is displayed when passwordChangeSupported.

server/settings/templates/settings/personal/security.php

Line 40 in 802a978

<?php if($_['passwordChangeSupported']) { ?>

server/lib/private/Settings/Personal/Security.php

Lines 70 to 73 in 4f75173

	$passwordChangeSupported = false;
	if ($user !== null) {
	$passwordChangeSupported = $user->canChangePassword();
	}

server/lib/private/User/User.php

Lines 326 to 328 in 1fd640b

	public function canChangePassword() {
	return $this->backend->implementsActions(Backend::SET_PASSWORD);
	}

server/apps/user_ldap/lib/User_LDAP.php

Lines 547 to 556 in 2d30511

	public function implementsActions($actions) {
	return (bool)((Backend::CHECK_PASSWORD
	| Backend::GET_HOME
	| Backend::GET_DISPLAYNAME
	| (($this->access->connection->ldapUserAvatarRule !== 'none') ? Backend::PROVIDE_AVATAR : 0)
	| Backend::COUNT_USERS
	| (((int)$this->access->connection->turnOnPasswordChange === 1)? Backend::SET_PASSWORD :0)
	| $this->userPluginManager->getImplementedActions())
	& $actions);
	}

The good news: This feature is already there 👍
The bad news: It does not work for you 🤣

[kesselb]

I did some testing (used https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ as ldap server) and it works for me.

No change password form by default. Only when above checkbox is enabled. You are using nextcloud 14? (i have tested it with 15)

[tomtomas99911]

I am using NX 14 with user_sql - so I need to hide password change dialog here...

[kesselb]

https://github.com/nextcloud/user_sql i see a "allow password change" checkbox there?

[tomtomas99911]

Yes - it disable password change - but it does not hide password change dialog. And author of user_sql said - "hiding password change dialog is feauture of nextcloud core not user_sql addon"

[kesselb]

@mlojewski-me would you mind to reopen nextcloud/user_sql#78 and have a second look?

UserBackend and GroupBackend extend from ABackend and both implement ISetPasswordBackend.

server/lib/public/User/Backend/ABackend.php

Lines 42 to 50 in b723a2b

	public function implementsActions($actions): bool {
	$implements = 0;
	if ($this instanceof ICreateUserBackend) {
	$implements |= Backend::CREATE_USER;
	}
	if ($this instanceof ISetPasswordBackend) {
	$implements |= Backend::SET_PASSWORD;
	}

Nextcloud asks the backend if a password change is possible (and if so shows the form)

server/lib/private/User/User.php

Lines 326 to 328 in 1fd640b

	public function canChangePassword() {
	return $this->backend->implementsActions(Backend::SET_PASSWORD);
	}

I guess you have to overwrite implementsActions and check if the user enabled password change with your backend.

[kesselb]

Thank you @tomtomas99911 for reporting this and answering all my questions 👍

[mlojewski-me]

@danielkesselberg issue reopened, I will check it soon

[tomtomas99911]

Any advance here please?

[mlojewski-me]

@danielkesselberg issue reopened, I will check it soon

Issue nextcloud/user_sql#78 resolved